Skip to main content

Req (Elixir) CVE-2026-49755

| EUVDEUVD-2026-35098 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-06-08 EEF
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 18:16 vuln.today
Analysis Generated
Jun 08, 2026 - 18:16 vuln.today
CVSS changed
Jun 08, 2026 - 16:22 NVD
8.2 (HIGH)
CVE Published
Jun 08, 2026 - 15:20 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.

Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.

Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.

This issue affects req: from 0.1.0 before 0.6.1.

AnalysisAI

Memory exhaustion in wojtekmach Req (Elixir HTTP client) versions 0.1.0 through 0.6.0 allows attacker-controlled HTTP servers to crash the BEAM process via decompression-bomb response bodies. Because Req enabled automatic body decompression and archive decoding by default with no size caps, a sub-megabyte response advertising gzip/zip/tar content can expand to multiple gigabytes in memory. No public exploit identified at time of analysis, but the fix and root cause are documented in the upstream advisory GHSA-655f-mp8p-96gv.

Technical ContextAI

Req is a widely used Elixir HTTP client built on top of Finch and the BEAM standard library. The vulnerability lives in lib/req/steps.ex, where decode_body/1 dispatches on the server-supplied Content-Type (or URL extension) and calls Erlang/OTP primitives :zip.extract/2, :erl_tar.extract/2 with the [:memory] option, materializing the entire decompressed archive as an in-memory [{name, bytes}] list. decompress_body/1 likewise chains :zlib, :brotli, and :ezstd decoders driven by the Content-Encoding header, allowing a layered encoding such as gzip, gzip, gzip to inflate without bound. This is a classic CWE-409 (Improper Handling of Highly Compressed Data / decompression bomb) issue, made worse because Req also follows redirects automatically - so a benign-looking initial request can land on an attacker-controlled host that returns the bomb.

RemediationAI

Vendor-released patch: upgrade Req to 0.6.1 or later (commit 84977e5b1a83f26e749d55ad06e3625464af4e8d), which changes the default of the :compressed option from true to false and only runs decompress_body/1 when the caller explicitly opts in with compressed: true - see https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d and the advisory at https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv. If immediate upgrade is not possible, callers should pass raw: true to Req.get!/Req.request to bypass decompress_body/1 and avoid decoding application/zip, application/x-tar, application/gzip, or .tgz responses, accepting the trade-off that the application must handle compressed bytes itself; alternatively, disable Req's automatic redirect following (redirect: false) and restrict outbound fetches to allowlisted, trusted hosts to shrink the attacker-controlled-server exposure. Resource ceilings on the BEAM (e.g., +MMscs, container memory limits, or process-level supervision) reduce blast radius but do not address root cause.

Share

CVE-2026-49755 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy